PolicyKit: Branch 'master'

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed May 24 13:06:51 UTC 2023


 data/polkit.service.in |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

New commits:
commit 25eef55dddbf0b4d635fbdd508710b496be80d9c
Author: Jan Rybar <jrybar at redhat.com>
Date:   Wed May 24 13:06:49 2023 +0000

    Harden systemd service

diff --git a/data/polkit.service.in b/data/polkit.service.in
index 88138e8..2113ff7 100644
--- a/data/polkit.service.in
+++ b/data/polkit.service.in
@@ -5,6 +5,33 @@ Documentation=man:polkit(8)
 [Service]
 Type=dbus
 BusName=org.freedesktop.PolicyKit1
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
 ExecStart=@libprivdir@/polkitd --no-debug
 User=@polkitd_user@
 Group=@polkitd_user@
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectClock=yes
+ProtectHostname=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
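Review bot: The sandbox added to `[Service]` is inherited by every process polkitd starts, so `PrivateNetwork=yes`, `IPAddressDeny=any`, `ProtectHome=yes`, `ProtectSystem=strict` and `NoNewPrivileges=yes` will also constrain any helper that an authorization rule launches through `polkit.spawn()`. The unit carries no comment saying so, and the commit message does not say whether rule-spawned helpers were exercised. `MemoryDenyWriteExecute=yes` may also conflict with a JavaScript backend that JIT-compiles, if the build uses one; that depends on build configuration not visible here. I would add a comment above the new directives such as `# Sandbox also applies to programs run from rules via polkit.spawn(); relax in a drop-in if a rule needs network or /home`, and a second one on `CapabilityBoundingSet=` noting that the empty value drops all capabilities on purpose.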

